Cyber Resilience

CVE-2026-33250

Severity: High
Published: 24 March 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Freeciv21 3.1.1)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0009 (percentile 25.3)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33250 is a high-severity Improper Input Validation (CWE-20) vulnerability with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33250 is a stack-overflow vulnerability (CWE-20: Improper Input Validation; CWE-121: Stack-based Buffer Overflow) in Freeciv21, a free open-source turn-based empire-building strategy game. Versions prior to 3.1.1 crash when they receive specially crafted packets; the CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Both the server and the client components of the game are affected.

A remote, unauthenticated attacker can crash any public Freeciv21 server by sending malicious packets, and a malicious server can likewise crash the game on a connecting player's machine. No authentication is required, and the default logs contain nothing useful for detecting or analysing such attacks.

Advisories recommend upgrading all Freeciv21 installations to version 3.1.1, where the issue is fixed. For non-public servers, running behind a firewall provides mitigation. Local games are unaffected, because Freeciv21 restricts connections to the current user. Details are available in the GitHub security advisory (GHSA-f76g-6w3f-f6r3), the release notes for v3.1.1, the fixing commit (ad8e18ca22595529599782b2984bf44df8d69ed6), and Redmine issue 1955.


Vulnerability details

Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A stack overflow in a public game server/client enables remote, unauthenticated denial of service via crafted packets: T1190 covers exploitation of the public-facing server, and T1499.004 covers the application crash caused by exploiting the vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71003 (shared CWE-20)
CVE-2025-66786 (shared CWE-20)
CVE-2025-70744 (shared CWE-121)
CVE-2025-70243 (shared CWE-121)
CVE-2025-50663 (shared CWE-121)
CVE-2025-29121 (shared CWE-121)
CVE-2026-26154 (shared CWE-20)
CVE-2025-70238 (shared CWE-121)
CVE-2026-41956 (shared CWE-121)
CVE-2025-59383 (shared CWE-121)

Affected Assets

Freeciv21 (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Directly addresses the improper input validation (CWE-20) behind the stack overflow by requiring that specially crafted network packets be validated before they are processed.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation through patching, such as upgrading Freeciv21 to version 3.1.1, where the stack overflow is fixed.

SC-5 Denial-of-Service Protection (prevent): Implements denial-of-service protections to block or limit the impact of remote, unauthenticated attacks that crash the server or client with malicious packets.
